Oversight Committee Releases Equifax Data Breach Report

On September 7, 2017, Equifax announced a cybersecurity incident affecting 143 million consumers. This number eventually grew to 148 million, nearly half the U.S. population and 56 percent of American adults. On September 14, 2017, the House Oversight and Government Reform Committee opened an investigation into the data breach.

The Committee Republicans last week released a staff report after the 14-month investigation.

The Committee reviewed over 122,000 pages of documents, conducted transcribed interviews with three former Equifax employees directly involved with IT, and met with numerous current and former Equifax employees, in addition to Mandiant, the forensic firm hired to conduct an investigation of the breach.

The full report is available here.

Key findings in the report include:

  • Entirely preventable: Equifax failed to fully appreciate and mitigate its cybersecurity risks. Had the company taken action to address its observable security issues, the data breach could have been prevented.
  • Lack of accountability and management structure: Equifax failed to implement clear lines of authority within its internal IT management structure, leading to an execution gap between IT policy development and operation. Ultimately, the gap restricted the company’s ability to implement security initiatives in a comprehensive and timely manner.
  • Complex and outdated IT systems: Equifax’s aggressive growth strategy and accumulation of data resulted in a complex IT environment. Both the complexity and antiquated nature of Equifax’s custom-built legacy systems made IT security especially challenging.
  • Failure to implement responsible security measurements: Equifax allowed over 300 security certificates to expire, including 79 certificates for monitoring business-critical domains. Failure to renew an expired digital certificate for 19 months left Equifax without visibility on the exfiltration of data during the time of the cyberattack.
  • Unprepared to support affected consumers: After Equifax informed the public of the data breach, it was unprepared to identify, alert and support affected consumers. The breach website and call centers were immediately overwhelmed, resulting in affected consumers being unable to access information necessary to protect their identity.
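The certificate finding above is the one technical failure mode in the list: a certificate that expires on a traffic-inspection device fails silently, so the control keeps running while inspecting nothing. The script below is an added illustration of the kind of expiry check that would surface that condition; it is not code from the Committee report or from Equifax. The inventory records, hostnames, the `role` field and the evaluation date `NOW` are all constructed for the example; the record shape mimics what Python's `ssl.SSLSocket.getpeercert()` returns, so the same functions work on certificates pulled from live endpoints.

```python
"""Certificate-expiry monitor: buckets an inventory into expired / expiring / ok and
calls out expired certificates that sit on a monitoring control.

Added example, not from the Committee report or Equifax. All data below is constructed.
"""
import ssl
from datetime import datetime, timezone

WARN_DAYS = 30
# Constructed evaluation date (an assumption for the example, not a date from the report).
NOW = datetime(2017, 9, 1, tzinfo=timezone.utc)

# Constructed inventory. 'subject' and 'notAfter' follow the getpeercert() layout;
# 'role' is a hypothetical inventory field recording what the certificate is used for.
SAMPLE_INVENTORY = [
    {"subject": ((("commonName", "tls-inspect.example.internal"),),),
     "notAfter": "Jan 31 00:00:00 2016 GMT", "role": "tls-inspection"},
    {"subject": ((("commonName", "portal.example.internal"),),),
     "notAfter": "Aug 15 00:00:00 2017 GMT", "role": "web"},
    {"subject": ((("commonName", "api.example.internal"),),),
     "notAfter": "Sep 20 00:00:00 2017 GMT", "role": "web"},
    {"subject": ((("commonName", "intranet.example.internal"),),),
     "notAfter": "Dec 01 00:00:00 2018 GMT", "role": "web"},
]


def common_name(cert):
    """Pull the CN out of getpeercert()'s nested subject tuples."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return "<no-cn>"


def not_after(cert):
    """Parse the OpenSSL-style notAfter string into an aware UTC datetime."""
    seconds = ssl.cert_time_to_seconds(cert["notAfter"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def classify_certificates(inventory, now, warn_days=WARN_DAYS):
    """Bucket certificates by remaining lifetime.

    Returns {'expired': [...], 'expiring': [...], 'ok': [...]}; each entry is
    (common_name, role, days_left), with days_left negative once expired.
    """
    result = {"expired": [], "expiring": [], "ok": []}
    for cert in inventory:
        days_left = (not_after(cert) - now).days
        entry = (common_name(cert), cert.get("role", "unknown"), days_left)
        if days_left < 0:
            result["expired"].append(entry)
        elif days_left <= warn_days:
            result["expiring"].append(entry)
        else:
            result["ok"].append(entry)
    return result


def monitoring_blind_spots(result):
    """Expired certificates on inspection controls. These fail silently (the device
    keeps passing traffic it can no longer decrypt), so they outrank a web cert
    that merely produces browser warnings."""
    return [entry for entry in result["expired"] if entry[1] == "tls-inspection"]


def run_sample():
    """Evaluate the constructed inventory at the constructed date."""
    return classify_certificates(SAMPLE_INVENTORY, NOW)


if __name__ == "__main__":
    report = run_sample()
    for bucket in ("expired", "expiring", "ok"):
        for name, role, days in report[bucket]:
            print(f"{bucket:8} {name:32} role={role:15} days_left={days}")
    for name, _, days in monitoring_blind_spots(report):
        print(f"ALERT: {name} expired {-days} days ago; traffic through this control is not being inspected")
```

Run against a real estate by replacing `SAMPLE_INVENTORY` with records collected from each endpoint (for example `ssl.create_default_context().wrap_socket(...).getpeercert()`), adding the role from your asset inventory, and scheduling the script so that `monitoring_blind_spots()` feeds an alert rather than a console line. The point of the separate `role` field is that expiry on a control that decrypts and inspects traffic is a visibility loss, not a cosmetic one, and should page someone.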

The Committee’s report details seven recommendations to protect consumers, increase oversight, accountability, and transparency, and modernize IT security solutions. These recommendations will require the work of Congress, the executive branch, and the private sector.

CUNA and the state credit union leagues have been pressing Congress to enact legislation to subject retailers to the same data security standards required of credit unions and other card issuers under Gramm-Leach-Bliley, and to hold them financially accountable for any breaches on their part.